

C5 overview

In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Controls Catalog (C5). C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and for the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

C5 is based on internationally recognized IT security standards like ISO/IEC 27001:2013, the Cloud Security Alliance Cloud Controls Matrix 3.0.1, and BSI's own IT-Grundschutz Catalogues. The purpose of the C5 catalog of requirements is to provide a consistent security framework for certifying cloud service providers and to give customers assurance that their data will be managed securely. The catalog consists of 114 requirements across 17 domains (for example, the organization of information security and physical security), with security requirements basic to all cloud service providers, and additional requirements for processing highly confidential data and for situations requiring high availability.

The BSI also puts emphasis on transparency. As part of an audit, the cloud provider must include a detailed system description and disclose environmental parameters such as jurisdiction and data processing location, provision of services, other certifications issued to the cloud services, and information about the cloud provider's disclosure obligations to public authorities. This helps potential cloud customers decide whether the cloud services meet their essential requirements, such as compliance with legal requirements like data protection, company policies, or the ability to address the threat of industrial espionage.

Microsoft and C5

Microsoft cloud services are audited at least annually against SOC 2 (AT Section 101) standards. According to BSI, a C5 audit can be combined with a SOC 2 audit to reuse parts of the system description and audit results for overlapping controls. Microsoft Azure, Azure Government, and Azure Germany maintain a combined report (C5, SOC 2 Type 2, CSA STAR Attestation) based on the audit assessment performed by an independent auditor, which demonstrates proof of compliance with C5.

Microsoft in-scope cloud platforms & services

Azure, Azure Government, and Azure Germany

For more information about Azure, Dynamics 365, and other online services compliance, see the Germany C5:2020 offering.

Frequently asked questions

Can I use Microsoft compliance with C5 to help my organization get its own C5 attestation?

You may use the attestation of Microsoft cloud services as the foundation for any program or initiative that requires C5. However, you need to achieve your own C5 attestation for components outside of, or built on top of, these services.

What's the difference between C5 and the IT-Grundschutz Catalogues?

IT-Grundschutz supplies the specific methodology to help organizations identify and implement security measures for IT systems and is one of the elements upon which the C5 standards are built. C5 provides a set of audit standards for cloud service providers but leaves the details of implementation up to the cloud service provider.

Azure Germany

Microsoft Cloud Germany is physically based in Germany, adhering to the requirements of German privacy law, which limits the transfer of personal data to other countries and offers protection against access by authorities from other jurisdictions that could violate domestic laws. Azure Germany delivers Azure services from German datacenters with data residency in Germany, and it delivers strict data access and control measures through a unique data trustee model governed under German law.
